I don't understand what the security issue is here. Sounds like ESM is doing a good thing by passwording the console, but has a bug in the password change code. If they're using the MS Access native security, recovering the password is trivial, so in essence there is no security there at all. One could make a case that there should be, but the bug in password changing is hardly relevant to that. Finally, tech support's recommendation that the password be removed from the DB is perfectly reasonable when you consider that it is utterly useless anyway.

-----
Scott Blake
blakeat_private
Security Program Manager
BindView Corporation

>-----Original Message-----
>From: Bugtraq List [mailto:BUGTRAQat_private]On Behalf Of Todd
>Sent: Wednesday, January 12, 2000 7:04 PM
>To: BUGTRAQat_private
>Subject: Password issue in Axent ESM 5.0.1 Console
>
>
>Axent's latest release of its ESM product was redesigned and supposedly
>revamped around its new "Management Console". The new management console
>is based on an underlying Access Database. The console is password
>protected each time the application is launched. However, when the user
>wants to change the console password, the next time the application is
>launched the database is inaccessible because the code does not update the
>password on the database file. It is reported that contact of Axent
>resulted in being told to launch the MS Access DB file and disable password
>checking.
>
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:28:07 PDT